Exemple #1
0
def csrf_attack_body(url, method, headers, body, csrf_param, scanid):
    tmp_headers = {}
    http_status_code, response_size = csrf_request(url, method, headers, body)
    if csrf_param is not None:
        csrf_param_value = generate_csrf_token(str(body['csrf_param']))
        body['csrf_param'] = csrf_param_value

    csrf_req_body = req.api_request(url, method, headers, body)
    if str(csrf_req_body.status_code)[0] == '4' or \
            str(csrf_req_body.status_code)[0] == '5':
        return

    if csrf_req_body.status_code == http_status_code:
        if len(csrf_req_body.text) == response_size:
            # Testing for JSON based CSRF - Blind CSRF
            tmp_headers.update(headers)
            tmp_headers['Content-Type'] = 'text/plain'
            json_csrf = req.api_request(url, method, tmp_headers, body)
            if str(json_csrf.status_code)[0] == '4' or \
                    str(json_csrf.status_code)[0] == '5':
                # Application is validating content-type header.
                # Only way to bypass is using flash based technique.
                impact = "Medium"
            else:
                impact = "High"
                headers = tmp_headers

            print "%s[-]{0} is vulnerable to CSRF attack%s".format(url) % (
                api_logger.R, api_logger.W)
            attack_result = {"id": 6, "scanid": scanid, "url": url,
                             "alert": "CSRF", "impact": impact,
                             "req_headers": headers, "req_body": body,
                             "res_headers": json_csrf.headers,
                             "res_body": json_csrf.text}
            dbupdate.insert_record(attack_result)
Exemple #2
0
def xss_get_url(url,method,headers,body,scanid=None):
    # Check for URL based XSS. 
    # Ex: http://localhost/<payload>, http://localhost//?randomparam=<payload>
    result = ''
    parsed_url = ''
    xss_payloads = fetch_xss_payload()
    uri_check_list = ['?', '&', '=', '%3F', '%26', '%3D']
    for uri_list in uri_check_list:
        if uri_list in url:
            # Parse domain name from URI.
            parsed_url = urlparse.urlparse(url).scheme+"://"+urlparse.urlparse(url).netloc+urlparse.urlparse(url).path
            break

    if parsed_url == '':
        parsed_url = url

    for payload in xss_payloads:
        decoded_payload = xss_payload_decode(payload)
        xss_request_url = req.api_request(parsed_url+'/'+payload,"GET",headers)
        if result is not True:
            if xss_request_url.text.find(decoded_payload) != -1:
                impact = check_xss_impact(xss_request_url.headers)
                attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request_url.headers ,"res_body": xss_request_url.text}
                dbupdate.insert_record(attack_result)
                result = True

        xss_request_uri = req.api_request(parsed_url+'/?test='+payload,"GET",headers)             
        if xss_request_uri.text.find(decoded_payload) != -1:
            impact = check_xss_impact(xss_request_uri.headers)
            logs.logging.info("%s is vulnerable to XSS",url)
            print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
            attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request_url.headers ,"res_body": xss_request_url.text}
            dbupdate.insert_record(attack_result)
Exemple #3
0
def csrf_attack_header(url, method, headers, body, csrf_header, csrf_test_type,
                       scanid):
    # This function performs CSRF attack with various techniques.
    if csrf_test_type == "header":
        updated_headers = headers.copy()
        http_status_code, response_size = csrf_request(url, method, headers,
                                                       body)
        # Delete the CSRF header and send the request
        updated_headers = csrf_header_remove(updated_headers, csrf_header)
        csrf_req = req.api_request(url, method, updated_headers, body)

        if (str(csrf_req.status_code)[0] == '4' or
                str(csrf_req.status_code)[0] == '5'):
            return

        if csrf_req.status_code == http_status_code:
            if len(csrf_req.text) == response_size:
                print "%s[-]{0} is vulnerable to CSRF attack%s" \
                          .format(url) % (api_logger.R, api_logger.W)
                attack_result = {"id": 6, "scanid": scanid, "url": url,
                                 "alert": "CSRF", "impact": "High",
                                 "req_headers": headers,
                                 "res_headers": csrf_req.headers,
                                 "res_body": csrf_req.text}
                dbupdate.insert_record(attack_result)
                return

        try:
            csrf_header_value = headers[csrf_header]
            csrf_header_value = generate_csrf_token(str(csrf_header_value))
            # Updating CSRF value. Ex X-XSRF-token : xyz
            headers[csrf_header] = csrf_header_value
            new_csrf_req = req.api_request(url, method, updated_headers, body)
            if (str(csrf_req.status_code)[0] == '4' or
                    str(csrf_req.status_code)[0] == '5'):
                return

            if csrf_req.status_code == http_status_code:
                if len(csrf_req.text) == response_size:
                    # Check for CORS
                    result = check_custom_header(url, csrf_header)
                    if result:
                        print "%s[-]{0} is vulnerable to CSRF attack%s".format(
                            url) % (api_logger.R, api_logger.W)
                        attack_result = {"id": 6, "scanid": scanid, "url": url,
                                         "alert": "CSRF", "impact": "High",
                                         "req_headers": headers,
                                         "req_body": body,
                                         "res_headers": csrf_req.headers,
                                         "res_body": csrf_req.text}
                        dbupdate.insert_record(attack_result)

        except Exception:
            return
Exemple #4
0
def start_scan(task_id):
    # Starting a new scan
    data = {}
    scan_start_url = base_url + "/scan/" + task_id + "/start"
    scan_start_resp = req.api_request(scan_start_url, "POST", api_header, data)
    if scan_start_resp.status_code == 200:
        return json.loads(scan_start_resp.text)['success']
Exemple #5
0
def xss_post_method(url,method,headers,body,scanid=None):
    # This function checks XSS through POST method.
    temp_body = {}
    post_vul_param = ''
    db_update = ''
    for key,value in body.items():
        xss_payloads = fetch_xss_payload()
        for payload in xss_payloads:
            temp_body.update(body)
            temp_body[key] = payload
            xss_post_request = req.api_request(url, "POST", headers, temp_body)
            decoded_payload = xss_payload_decode(payload)
            if xss_post_request.text.find(decoded_payload) != -1:
                impact = check_xss_impact(xss_post_request.headers)
                if db_update is not True:
                    attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":temp_body, "res_headers": xss_post_request.headers ,"res_body": xss_post_request.text}
                    dbupdate.insert_record(attack_result)
                    db_update = True
                    post_vul_param += key
                    break
                else:
                    if post_vul_param == '':
                        post_vul_param += key
                    else:
                        post_vul_param += ','+key 
                    break

    if post_vul_param:
        # Update all vulnerable params to db.
        logs.logging.info("%s Vulnerable Params:",post_vul_param)
        dbupdate.update_record({"scanid": scanid}, {"$set" : {"scan_data" : post_vul_param+" are vulnerable to XSS"}})
Exemple #6
0
def cors_main(url, method, headers, body, scanid=None):
    temp_headers = {}
    temp_headers.update(headers)
    origin_headers = generate_origin(url)
    logs.logging.info("List of origin headers: %s", origin_headers)
    for origin in origin_headers:
        origin_header = {"origin": origin}
        temp_headers.update(origin_header)
        if (method.upper() == 'GET' or method.upper() == 'POST'
                or method.upper() == "PUT"):
            """
            If request method is POST then browser usually
            sends preflight request
            """
            option_response = req.api_request(url, "OPTIONS", temp_headers)
            result = cors_check(origin, option_response.headers)
            if result:
                print "%s[+]{0} is vulnerable to cross domain attack %s "\
                          .format(url) % (api_logger.G, api_logger.W)
                attack_result = {
                    "id": 1,
                    "scanid": scanid,
                    "url": url,
                    "alert": "CORS Misconfiguration",
                    "impact": result['impact'],
                    "req_headers": temp_headers,
                    "req_body": body,
                    "res_headers": option_response.headers,
                    "res_body": "NA"
                }
                dbupdate.insert_record(attack_result)
                break

    logs.logging.info("Scan completed for cross domain attack: %s", url)
Exemple #7
0
def fuzz_url(url, method, headers, body, scanid):
    # Fuzzing target URL with different params.
    parsed_url = urlparse.urlparse(url)
    target_domain = parsed_url.scheme + "://" + parsed_url.netloc + "/"
    redirect_payload = fetch_open_redirect_payload()
    for payload in redirect_payload:
        try:
            target_url = target_domain + payload.replace(
                "{target}", redirection_url)
        except:
            target_url = target_domain + payload

        fuzz_req = req.api_request(target_url, "GET", headers)
        if str(fuzz_req.status_code)[0] == '3':
            if fuzz_req.headers['Location'].startswith(
                    redirection_url) is True:
                print "%s[ Medium ] {0} is vulnerable to open redirection%s".format(
                    url) % (api_logger.Y, api_logger.W)
                logs.logging.info("%s is vulnerable to open redirection", url)
                attack_result = {
                    "id": 12,
                    "scanid": scanid,
                    "url": target_url,
                    "alert": "Open redirection",
                    "impact": "Medium",
                    "req_headers": headers,
                    "req_body": body,
                    "res_headers": fuzz_req.headers,
                    "res_body": "NA"
                }
                dbupdate.insert_record(attack_result)
                return
Exemple #8
0
def brute_force(url,method,headers,body,attack_params,scanid):
	attack_result = {}
	failed_set = ['exceed','captcha','too many','rate limit','Maximum login']
	if len(attack_params) == 1:
		# attack_params[0] is a first value from list Ex Pin, password
		param_value = body[attack_params[0]] # param_value is a value of param. Example: 1234
		if type(param_value) == int:
			length = len(str(param_value))
			brute_list = generate_list(length,'int')

		elif type(param_value) == str or type(param_value) == unicode:
			length = len(param_value)
			brute_list = generate_list(length,'str')

		# Starting brute force attack.
		count = 0
		if brute_list is not None: 
			for value in brute_list:
				# Mdofiying a json data and update the dictionary. 
				# Example:{"Username":"******",password:"******"}
				#		  {"Username":"******",password:"******"}
				body[attack_params[0]] = value
				auth_type = get_value('config.property','login','auth_type')
				if auth_type == "cookie":
					try:
						del headers['Cookie']
					except:
						pass

				brute_request = req.api_request(url,method,headers,body)
				if brute_request is not None:
					if count == 0:
						http_len = len(brute_request.text)
						count += count
				
			if len(brute_request.text) == http_len:
				if str(brute_request.status_code)[0] == '2' or  str(brute_request.status_code)[0] == '4':
					for failed_name in failed_set:
						 if failed_name in brute_request.text:
						 	# Brute force protection detected :-( 
						 	result = False
						 	break
						 else:
						 	result = True
				
			if result is True:
				attack_result = {
							 "id" : 7,
							 "scanid":scanid,
							 "url" : url,
							 "alert": "Missing Rate limit",
							 "impact": "High",
							 "req_headers": headers,
							 "req_body" : body,
							 "res_headers": brute_request.headers,
							 "res_body" : brute_request.text

				}

			return attack_result
Exemple #9
0
def crlf_post_method(uri, method, headers, body, scanid=None):
    # This function checks CRLF through POST method.
    temp_body = {}
    for key, value in body.items():
        crlf_payloads = fetch_crlf_payload()
        for payload in crlf_payloads:
            temp_body.update(body)
            temp_body[key] = payload
            crlf_post_request = req.api_request(uri, "POST", headers,
                                                temp_body)
            for name in crlf_post_request.headers:
                if "CRLF-Test" in name:
                    attack_result = {
                        "id": 13,
                        "scanid": scanid,
                        "url": uri,
                        "alert": "CRLF injection",
                        "impact": "High",
                        "req_headers": headers,
                        "req_body": temp_body,
                        "res_headers": crlf_post_request.headers,
                        "res_body": crlf_post_request.text
                    }
                    dbupdate.insert_record(attack_result)
                    print "[+]{0} is vulnerable to CRLF injection".format(uri)
                    return
Exemple #10
0
def crlf_get_uri_method(uri, method, headers, scanid=None):
    # This function checks CRLF through GET URI method.
    par_key = {}
    url_query = urlparse.urlparse(uri)
    parsed_query = urlparse.parse_qs(url_query.query)
    for key, value in parsed_query.items():
        crlf_payloads = fetch_crlf_payload()
        for payload in crlf_payloads:
            par_key.update(parsed_query)
            par_key[key] = payload
            parsed_uri = urlparse.urlparse(
                uri).scheme + "://" + urlparse.urlparse(
                    uri).netloc + urlparse.urlparse(
                        uri).path + "?" + urlparse.urlparse(uri).query.replace(
                            value[0], payload)
            crlf_get_method = req.api_request(parsed_uri, "GET", headers)
            for name in crlf_get_method.headers:
                if "CRLF-Test" in name:
                    attack_result = {
                        "id": 13,
                        "scanid": scanid,
                        "url": parsed_uri,
                        "alert": "CRLF injection",
                        "impact": "High",
                        "req_headers": headers,
                        "req_body": "NA",
                        "res_headers": crlf_get_method.headers,
                        "res_body": crlf_get_method.text
                    }
                    dbupdate.insert_record(attack_result)
                    print "[+]{0} is vulnerable to CRLF injection".format(
                        parsed_uri)
                    return
Exemple #11
0
def csrf_request(url, method, headers, body):
    # Send orginal request without removing CSRF header or param.
    try:
        http_request = req.api_request(url, method, headers, body)
        return http_request.status_code, len(http_request.text)
    except Exception as e:
        sys.exit(1)
Exemple #12
0
def csrf_attack_body(url,method,headers,body,csrf_param,scanid):
	http_status_code, response_size = csrf_request(url,method,headers,body)
	csrf_param_value = generate_csrf_token(str(body['csrf_param']))
	body['csrf_param'] = csrf_param_value
	csrf_req_body = req.api_request(url,method,headers,body)
	if str(csrf_req_body.status_code)[0] == '4' or str(csrf_req_body.status_code)[0] == '5':
		return
	if csrf_req_body.status_code == http_status_code:
			if len(csrf_req_body.text) == response_size:
				# Testing for JSON based CSRF - Blind CSRF
				headers['Content-Type'] = 'text/plain'
				json_csrf = req.api_request(url,method,headers,body)
				if str(csrf_req_body.status_code)[0] == '4' or str(csrf_req_body.status_code)[0] == '5':
					return
				else:
					print "%s[-]{0} is vulnerable to CSRF attack%s".format(url)% (api_logger.R, api_logger.W)
					attack_result = { "id" : 6, "scanid":scanid, "url" : url, "alert": "Blind CSRF", "impact": "High", "req_headers": headers, "req_body":body, "res_headers": "NA"}
					dbupdate.insert_record(attack_result)
Exemple #13
0
def set_options_list(url, method, headers, body, task_id):
    # Setting up url,headers, body for scan
    options_set_url = base_url + "/option/" + task_id + "/set"
    data = {}
    data['url'], data['method'], data['headers'] = url, method, headers
    if method.upper() == 'POST' or method.upper() == 'PUT':
        data['data'] = body
    options_list = req.api_request(options_set_url, "POST", api_header, data)
    if options_list.status_code == 200:
        return json.loads(options_list.text)['success']
Exemple #14
0
def show_scan_data(task_id):
    scan_data_url = base_url + "/scan/" + task_id + "/data"
    scan_start_resp = req.api_request(scan_data_url, "GET", api_header)
    global scan_data
    scan_data = json.loads(scan_start_resp.text)['data']
    if scan_data:
        logs.logging.info("API is vulnerable to sql injection")
        return True
    else:
        logs.logging.info("API is not vulnerable to sql injection")
Exemple #15
0
def session_fixation(url, method, headers, body, scanid):
    # This function deals with checking session fixation issue.
    attack_result = {}
    login_result = get_value('config.property', 'login', 'loginresult')
    logout_result = get_value('config.property', 'logout', 'logoutresult')
    if login_result == 'Y' and logout_result == 'Y':
        login_data, logout_data = get_authdata()
        if url == login_data['loginurl']:
            logs.logging.info("Checking for Sesion fixation: %s", url)
            url, method, headers, body = (logout_data['logouturl'],
                                          logout_data['logoutmethod'],
                                          logout_data['logoutheaders'],
                                          logout_data['logoutbody'])
            logout_headers, auth_old = add_authheader(headers)
            try:
                logout_body = ast.literal_eval(base64.b64decode(body))
            except:
                logout_body = None
            logs.logging.info("Logout request %s %s %s", url, logout_headers,
                              logout_body)
            logout_req = req.api_request(url, method, logout_headers,
                                         logout_body)
            if logout_req is None or str(logout_req.status_code)[0] == '4' or \
                    str(logout_req.status_code)[0] == '5':
                print "%s[!]Failed to logout. Session fixation attack won't" \
                      " be tested. Check log file for more information.%s"\
                      % (api_logger.Y, api_logger.W)
                return
            # Try to relogin and check if the application is serving the
            # previous session
            login_url, login_method, login_headers, login_body = (
                login_data['loginurl'], login_data['loginmethod'],
                login_data['loginheaders'], login_data['loginbody'])
            logs.logging.info("Login request %s %s %s", url, headers, body)
            login_req = api_login.fetch_logintoken(
                login_url, login_method, ast.literal_eval(login_headers),
                ast.literal_eval(login_body))
            if login_req is True:
                logs.logging.info("Relogin Successful")
                auth_new = get_value('config.property', 'login', 'auth')
                if auth_old == auth_new:
                    attack_result.update({
                        "id": 5,
                        "scanid": scanid,
                        "url": login_url,
                        "alert": "Session Fixation",
                        "impact": "Medium",
                        "req_headers": login_headers,
                        "req_body": req_body,
                        "res_headers": "NA",
                        "res_body": "NA"
                    })

                    dbupdate.insert_record(attack_result)
Exemple #16
0
def scan_status(task_id):
    # This function deals checking scan status and also check for vulnerability.
    status_url = base_url + "/scan/" + task_id + "/status"
    while True:
        status_url_resp = req.api_request(status_url, "GET", api_header)
        if json.loads(status_url_resp.text)['status'] == "terminated":
            result = show_scan_data(task_id)
            return result
        else:
            # Wait for 10 second and check the status again
            time.sleep(10)
Exemple #17
0
def xss_http_headers(url,method,headers,body,scanid=None):
    # This function checks different header based XSS.
    # XSS via Host header (Limited to IE)
    # Reference : http://sagarpopat.in/2017/03/06/yahooxss/
    temp_headers = {}
    temp_headers.update(headers)
    xss_payloads = fetch_xss_payload()
    for payload in xss_payloads:
        parse_domain = urlparse.urlparse(url).netloc
        host_header = {"Host" : parse_domain + '/' + payload}
        temp_headers.update(host_header)
        host_header_xss = req.api_request(url, "GET", temp_headers)
        try:
            decoded_payload = xss_payload_decode(payload)
            if host_header_xss.text.find(decoded_payload) != -1:
                impact = "Low"
                logs.logging.info("%s is vulnerable to XSS",url)
                print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
                attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": host_header_xss.headers ,"res_body": host_header_xss.text}
                dbupdate.insert_record(attack_result)
                break
        except:
            logs.logging.info("Failed to test XSS via Host header:%s",url)
            return


    # Test for Referer based XSS 
    for payload in xss_payloads:
        referer_header_value = 'https://github.com?test='+payload
        referer_header = {"Referer" : referer_header_value}
        temp_headers.update(referer_header)
        ref_header_xss = req.api_request(url, "GET", temp_headers)
        decoded_payload = xss_payload_decode(payload)
        if ref_header_xss.text.find(decoded_payload) != -1:
            impact = check_xss_impact(temp_headers)
            logs.logging.info("%s is vulnerable to XSS",url)
            print "%s[{0}] {1} is vulnerable to XSS via referer header%s".format(impact,url)% (api_logger.G, api_logger.W)
            attack_result = { "id" : 11, "scanid" : scanid, "url" : url, "alert": "Cross Site Scripting via referer header", "impact": impact, "req_headers": temp_headers, "req_body":body, "res_headers": ref_header_xss.headers ,"res_body": ref_header_xss.text}
            dbupdate.insert_record(attack_result)
            return
Exemple #18
0
def xss_get_uri(url,method,headers,body,scanid=None):
    # This function checks for URI based XSS. 
    # http://localhost/?firstname=<payload>&lastname=<payload>
    db_update = ''
    vul_param = ''
    url_query = urlparse.urlparse(url)
    parsed_query = urlparse.parse_qs(url_query.query)
    if parsed_query:
        for key,value in parsed_query.items():
            try:
                result = ''
                logs.logging.info("GET param for xss : %s",key)
                xss_payloads = fetch_xss_payload()
                for payload in xss_payloads:
                    # check for URI based XSS
                    # Example : http://localhost/?firstname=<payload>&lastname=<payload>
                    if result is not True:
                        parsed_url = urlparse.urlparse(url)
                        xss_url = parsed_url.scheme+"://"+parsed_url.netloc+parsed_url.path+"?"+parsed_url.query.replace(value[0], payload)
                        xss_request = req.api_request(xss_url,"GET",headers)
                        decoded_payload = xss_payload_decode(payload)
                        if xss_request.text.find(decoded_payload) != -1:
                            impact = check_xss_impact(xss_request.headers)
                            logs.logging.info("%s is vulnerable to XSS",url)
                            print "%s[{0}] {1} is vulnerable to XSS%s".format(impact,url)% (api_logger.G, api_logger.W)
                            if db_update is not True:
                                attack_result = { "id" : 11, "scanid" : scanid, "url" : xss_url, "alert": "Cross Site Scripting", "impact": impact, "req_headers": headers, "req_body":body, "res_headers": xss_request.headers ,"res_body": xss_request.text}
                                dbupdate.insert_record(attack_result)
                                result,db_update = True,True
                                vul_param += key
                            else:
                                result = True
                                if vul_param == '':
                                    vul_param += key
                                else:
                                    vul_param += ','+key                  
        
            except:
                pass

    else:
        logs.logging.info("XSS: No GET param found!")
        if vul_param:
            # Update all vulnerable params to db.
            logs.logging.info("%s Vulnerable Params:",vul_param)
            dbupdate.update_record({"scanid": scanid}, {"$set" : {"scan_data" : vul_param+" parameters are vulnerable to XSS"}})
def security_headers_missing(url, method, headers, body, scan_id=None):
    # checks if a security header is missing
    resp = req.api_request(url, method, headers, body)
    res_headers = resp.headers
    res_body = resp.text
    cookies = resp.cookies
    csp_check(url, method, headers, body, scan_id, res_headers, res_body)
    xss_protection_check(url, method, headers, body, scan_id, res_headers,
                         res_body)
    x_frame_options_check(url, method, headers, body, scan_id, res_headers,
                          res_body)
    x_content_type_options_check(url, method, headers, body, scan_id,
                                 res_headers, res_body)
    hsts_check(url, method, headers, body, scan_id, res_headers, res_body)
    cookies_check(cookies, url, method, headers, body, scan_id, res_headers,
                  res_body)
    check_version_disclosure(url, method, headers, body, scan_id, res_headers,
                             res_body)
Exemple #20
0
def crlf_get_url_method(uri, headers, scanid=None):
    # This function checks CRLF through GET URL method.
    crlf_payloads = fetch_crlf_payload()
    for payload in crlf_payloads:
        parsed_uri = urlparse.urlparse(uri).scheme + "://" + urlparse.urlparse(
            uri).netloc + urlparse.urlparse(uri).path + "/" + payload
        crlf_get_method = req.api_request(parsed_uri, "GET", headers)
        for name in crlf_get_method.headers:
            if "CRLF-Test" in name:
                attack_result = {"id": 13, "scanid": scanid, "url": parsed_uri,
                                 "alert": "CRLF injection", "impact": "High",
                                 "req_headers": headers, "req_body": "NA",
                                 "res_headers": crlf_get_method.headers,
                                 "res_body": crlf_get_method.text}
                dbupdate.insert_record(attack_result)
                print "[+]{0} is vulnerable to CRLF injection".format(
                    parsed_uri)
                return
Exemple #21
0
def redirection_get_uri(url, method, headers, body, scanid):
    # This function checks for URI based redirection.
    # Ex: http://localhost?url=<redirection URL>
    url_query = urlparse.urlparse(url)
    parsed_query = urlparse.parse_qs(url_query.query)
    for key, value in parsed_query.items():
        redirect_name = fetch_redirection_names()
        for name in redirect_name:
            if name == key:
                redirection_payload = fetch_open_redirect_payload()
                for payload in redirection_payload:
                    if '=' in payload:
                        payload = payload[payload.find('=') + 1:].replace(
                            '{target}', redirection_url)
                    else:
                        payload = payload.replace('{target}', redirection_url)
                    parsed_url = urlparse.urlparse(url)
                    redirect_url = (
                        parsed_url.scheme + "://" + parsed_url.netloc +
                        parsed_url.path + "/?" +
                        parsed_url.query.replace(value[0], payload))
                    fuzz_req = req.api_request(redirect_url, "GET", headers)
                    if str(fuzz_req.status_code)[0] == '3':
                        if fuzz_req.headers['Location'].startswith(
                                redirection_url) is True:
                            print "%s[Medium] {0} is vulnerable to open " \
                                  "redirection%s".format(url)\
                                  % (api_logger.Y, api_logger.W)
                            logs.logging.info(
                                "%s is vulnerable to open redirection",
                                redirect_url)
                            attack_result = {
                                "id": 12,
                                "scanid": scanid,
                                "url": redirect_url,
                                "alert": "Open redirection",
                                "impact": "Medium",
                                "req_headers": headers,
                                "req_body": body,
                                "res_headers": fuzz_req.headers,
                                "res_body": "NA"
                            }
                            dbupdate.insert_record(attack_result)
                            return
Exemple #22
0
def redirection_post_method(url, method, headers, body, scanid):
    # Check for POST based open redirection.
    temp_body = {}
    for key, value in body.items():
        param_names = fetch_redirection_names()
        for name in param_names:
            if key == name:
                payloads = fetch_open_redirect_payload()
                for payload in payloads:
                    if "=" in payload:
                        payload = payload[payload.find('=') + 1:].replace(
                            '{target}', redirection_url)
                    else:
                        payload = payload.replace('{target}', redirection_url)

                    temp_body.update(body)
                    temp_body[key] = payload
                    post_req = req.api_request(url, "POST", headers, temp_body)
                    if str(post_req.status_code)[0] == '3':
                        if (post_req.headers['Location'].startswith(
                                redirection_url) is True):
                            print "%s[Medium] {0} is vulnerable to open " \
                                  "redirection%s".format(url)\
                                  % (api_logger.Y, api_logger.W)
                            logs.logging.info(
                                "%s is vulnerable to open redirection", url)
                            attack_result = {
                                "id": 12,
                                "scanid": scanid,
                                "url": url,
                                "alert": "Open redirection",
                                "impact": "Medium",
                                "req_headers": headers,
                                "req_body": body,
                                "res_headers": post_req.headers,
                                "res_body": "NA"
                            }
                            dbupdate.insert_record(attack_result)
                            return
Exemple #23
0
def jwt_none(url,
             method,
             headers,
             body,
             jwt_loc,
             jwt_key,
             jwt_token,
             jwt_data,
             scanid=None):
    #Check for algo None vulnerability.
    encoded_jwt = jwt.encode(jwt_data, '', algorithm='none')
    if jwt_loc == "url":
        url = url.replace(value[0], encoded_jwt)
    if jwt_loc == "header":
        headers[key] = encoded_jwt

    jwt_request = req.api_request(url, method, headers, body)
    if str(jwt_request.status_code)[0] == '5' or str(
            jwt_request.status_code)[0] == '4':
        pass
    else:
        print(
            "%s[+]API is vulnearalbe to JWT none algo vulnerability%s".format(
                url) % (api_logger.R, api_logger.W))
        attack_result = {
            "id": 8,
            "scanid": scanid,
            "url": url,
            "alert": "JWT none Algorithm vulnerability",
            "impact": "High",
            "req_headers": headers,
            "req_body": body,
            "res_headers": jwt_request.headers,
            "res_body": jwt_request.text
        }

        dbupdate.insert_record(attack_result)
        return True
Exemple #24
0
def get_new_task_id():
    # Create a new task for scan
    new_task_url = base_url + "/task/new"
    new_task = req.api_request(new_task_url, "GET", api_header)
    if new_task.status_code == 200:
        return json.loads(new_task.text)['taskid']
Exemple #25
0
def auth_check(url, method, headers, body, scanid=None):
    # This function removes auth header and check if server is accepting request without it
    temp_headers = {}
    temp_headers.update(headers)
    try:
        attack_result = {}
        auth_headers = fetch_auth_config("auth_headers")
        auth_fail = fetch_auth_config("auth_fail")
        session_headers = headers
        for auth_header in auth_headers:
            for key, value in temp_headers.items():
                if key.lower() == auth_header.lower():
                    del temp_headers[auth_header]
                    updated_headers = temp_headers
                    logs.logging.info("Auth header is %s", auth_header)
                    auth_request = req.api_request(url, method,
                                                   updated_headers, body)
                    if auth_request.status_code == 401:
                        logs.logging.info(
                            "API requires authentication hence it's not vulnerable %s",
                            url)
                        return
                    elif auth_request.status_code == 200 or auth_request.status_code == 400:
                        # Check for false positive
                        for fail_name in auth_fail:
                            if fail_name.lower() in auth_request.content.lower(
                            ):
                                logs.logging.info(
                                    "API requires authentication hence it's not vulnerable %s",
                                    url)
                            else:
                                attack_result.update({
                                    "id":
                                    3,
                                    "scanid":
                                    scanid,
                                    "url":
                                    url,
                                    "alert":
                                    "Broken Authentication and session management",
                                    "impact":
                                    "High",
                                    "req_headers":
                                    updated_headers,
                                    "req_body":
                                    body,
                                    "res_headers":
                                    auth_request.headers,
                                    "res_body":
                                    auth_request.text
                                })

                                dbupdate.insert_record(attack_result)
                                return

                    session_fixation(url, method, temp_headers, body, scanid)

                else:
                    result = False

        if result is False:
            # Marking it as vulnerable if there has no authentication header present in HTTP request
            brokenauth_request = req.api_request(url, method, headers, body)
            attack_result.update({
                "id": 4,
                "scanid": scanid,
                "url": url,
                "alert": "Broken Authentication and session management",
                "impact": "High",
                "req_headers": headers,
                "req_body": body,
                "res_headers": brokenauth_request.headers,
                "res_body": brokenauth_request.text
            })
            dbupdate.insert_record(attack_result)

            # Test for session fixation
            session_fixation(url, method, updated_headers, body, scanid)
            return
    except:
        print "Failed to test Broken authentication and session management"
Exemple #26
0
def delete_task(task_id):
    # Delete the task once the scan is completed
    delete_task_url = base_url + "/task/" + task_id + "/delete"
    delete_task_req = req.api_request(delete_task_url, "GET", api_header)
    if delete_task_req.status_code == 200:
        return json.loads(delete_task_req.text)['success']